Skip to main content

Part five: The third condition – would the requested third-party personal data be exempt from the right of access?

Contents

If you have decided that the first and second conditions are not satisfied, you must go on to consider the third condition.

The third condition is set out at:

  • sections 40(4A)(a) [general processing] and (b) of FOIA [processing for law enforcement purposes]; and
  • regulations 13(3A)(a) [general processing], (b) [processing for law enforcement purposes], and (c) [intelligence services processing] of the EIR.

The third condition applies when the data subject would not have the right to receive a copy of their own personal data when submitting a subject access request under data protection legislation. This is known as a ‘SAR’.

This means that, if you would not give a copy of the personal data to the person whose personal data it is in response to a SAR, you may not have to disclose it to a requester in response to an FOI or EIR request.

The purpose of the third condition is to make sure that a requester does not have a greater right of access under FOI to third-party personal data than that third party themselves would have under data protection legislation.

You also need to consider the type of processing you are doing because different exemptions from the right of access would apply.

However, these exemptions and exceptions are qualified. Even though the third condition applies, you must conduct the public interest test to decide if you can disclose the information.

This means that sometimes the requested third-party personal data can be disclosed to the world at large even though the person themselves might not have a right to access their own personal information under data protection legislation.

Example

In Martin Rosenbaum vs Information Commissioner and Cabinet Office EA/2020/0093, the First-tier Tribunal rejected the Cabinet Office’s argument that if the requested information would be exempt from the right of access under data protection, it should also not be disclosed under freedom of information legislation.

At para 29, the Tribunal said:

“I am unable to accept that there is such a clear and close alignment between FOIA and DPA (…)”

This is because section 40(4A) is a qualified exemption. If the public interest test favours disclosure, the information should be disclosed even if a data subject could not obtain it in response to a SAR.

As explained before, you must first consider the consequences of confirming or denying before moving on to consider if the requested information would be exempt from the right of access.

Would any of the data protection exemptions apply to the right of access?

To decide if the third condition applies, you need to consider if the requested information would be exempt from the right of access under the UK GDPR.

Under data protection law, people can request a copy of their own personal data from organisations. This is called the right of access. This right is not absolute. Organisations can refuse the request if an exemption applies.

There are several exemptions from the right of access. Different exemptions may be relevant. This depends on the nature of the personal data, and the reasons why you are holding and processing it.

We set out the data protection exemptions most relevant to the right of access in our data protection guidance What other exemptions are there?

If you process personal data for law enforcement purposes, you must consider if the information would be exempt from the right of access under section 45(4) of Part 3 of the DPA18.

When responding to an EIR request, the Intelligence Services must consider if the information would be exempt from the right of access under chapter 6 of Part 4 of the DPA 18.

You must check the wording of any data protection exemption carefully to establish whether it does apply to the right of access.

The test is whether the data subject whose data it is would not have the right to receive the information in question under data protection legislation.

The third condition may apply regardless of whether the data subject has previously submitted a subject access request for that information.

It may also apply even if they have previously received the information.

If you are satisfied that the requested personal information would be exempt from the right of access under data protection, the third condition applies.

Example: information exempt from the right of access

In decision notice FS50197952, the Information Commissioner ordered the Cabinet Office to disclose personal information it had improperly withheld under section 40(4A) of FOIA.

The requester had asked for information relating to a peerage awarded to Lord Ashcroft. Lord Ashcroft had promised the government in 2000 that he would give up his tax exile status.

The Commissioner established that this information would be exempt from the right of access under data protection legislation by virtue of the conferring of honours exemption. This meant that Lord Ashcroft would not be able to have it in response to a SAR.

Therefore, the Commissioner decided that the third condition applied. However, the balance of the public interest favoured disclosure.

The above example is based on the DPA 1998. However, the same approach applies under the current data protection regime.

The third condition could apply to requests for third-party personal data about personnel matters that you hold as manual unstructured data.

We have explained what this type of data is in the section “Do you hold it as unstructured manual data?”.

The right of access extends to this type of data, even though the UK GDPR would not normally apply to non-automated information.

The right of access for this type of information is subject to limitations.

Section 24(3) of the DPA says that it does not apply to manual unstructured data about personnel matters in connection with service in the armed forces, or service in any office or employment under the Crown or under any public authority. This includes data relating to:

  • appointments;
  • removals;
  • pay;
  • discipline;
  • superannuation; or
  • other personnel matters.

Therefore, if you hold personnel data about an employee in hard copy and it is not in a relevant filing system, that employee does not have the right to obtain it under data protection legislation.

This means that if someone else requested it under FOIA or the EIR, the third condition could apply.

If you are satisfied that the request is for third-party personal data and decide that the third condition applies, you can engage the FOI exemption or EIR exception.

You must then go on to consider the public interest test.

How do you apply the public interest test?

If you decide that the third condition applies, you must go on to consider the public interest test. You can only withhold the requested information if the public interest in maintaining the exemption or exception outweighs the public interest in disclosure. If the public interest is evenly balanced, you must disclose the information.

You must assess the balance of the public interest at the time of responding to the request or within the statutory timeframe for compliance, whichever comes first.

Public interest in maintaining the exemption

The public interest arguments for maintaining the exemption are about protecting:

  • the interest identified in the DPA exemption; and
  • the privacy of the data subject.

Protecting the interest identified in the DPA exemption

The exemptions from the right of access in the DPA protect specified interests such as the: 

  • prosecution of offenders and crime prevention;
  • confidentiality of the honours system;
  • intentions of a party in negotiations; and
  • legal professional privilege. 

The DPA says that protecting these interests takes precedence over the right of data subjects to access their own data. This means that there is a public interest in protecting these interests. 

When carrying out the public interest test, you should take this into account as an argument for maintaining the FOI exemption or EIR exception. 

Make sure you consider the wording of the particular data protection exemption: 
 

  • Some of the DPA exemptions apply because the personal data has been processed for a particular purpose. This is similar to a FOIA class-based exemption. For example, the crown honours, dignities and appointments exemption falls into this category.
  • Other DPA exemptions apply because giving a copy of the data to the data subject would prejudice the purpose that the exemption protects. When considering the public interest argument for maintaining the exemption, you must therefore judge how far disclosure under FOIA or the EIR prejudices that purpose. This is similar to a FOIA prejudice-based exemption. For example, the crime and taxation exemption falls into this category. 

Protecting the privacy of the data subject

The second relevant argument to consider in favour of maintaining the exemption is the protection of the data subject’s privacy.

This is likely to be affected if they only see their personal data when it is released to the world under FOIA or the EIR.

For example, personal information that is a record of your thinking when negotiating with an individual is exempt from the right of access under the DPA. This exemption applies if complying with a subject access request would be likely to prejudice those negotiations.

Disclosing this to the world under FOIA or the EIR is likely to have an impact on the data subject’s privacy, as well as affecting the negotiations. This is a public interest argument for maintaining the exemption which is separate from the argument about the need to safeguard the negotiations.

Public interest in disclosure

After considering the arguments in favour of maintaining the exemption, you must examine those in favour of disclosing the information. You should do this objectively. There are always arguments to be made on both sides.

Think about how disclosure of the information would serve the public.

You should always give weight to the general public interest in transparency and accountability. You should then consider specific arguments about why disclosing the requested information would be in the public interest. For example, would it answer questions about decision making or the use of public money?

Make sure you consider any arguments provided by the requester as well as your own arguments.

You should draw up a list showing the arguments you have identified on both sides. This will help you when assessing the relative weight of the arguments. It will also help you to explain your decision to the requester, and the ICO if necessary.

Balancing the public interest arguments

You must balance the public interest arguments in maintaining the exemption against the public interest in disclosing the requested information. The relative weight of the arguments on each side depends on the circumstances of the case.

You must disclose the information unless the public interest in maintaining the FOI exemption or EIR exception outweighs the public interest in disclosure. If you are handling the request under the EIR, you must also apply a presumption in favour of disclosure.

Example: the public interest test favours disclosure

In the Lord Ashcroft example examined before, the Commissioner decided that third condition applied but that the public interest favoured disclosure of the information.

At para. 71, the Commissioner said:

“In the particular circumstances of this case, disclosure of the requested information would serve the public interest in providing a necessary degree of openness and transparency of the honours system generally, but more importantly in relation to this case in particular. The controversial nature of Lord Ashcroft’s nomination and subsequent award of his peerage provide sufficient weight to favour disclosure when balanced against any detriment or harm to Lord Ashcroft or to the honours system (which had changed by the time of the complainant’s request) that would flow from such disclosure.”

Unless you are applying the exclusion from the duty to confirm or deny, you must consider each case on the content of the information and the circumstances at the time of the request.

When you release information under FOIA or the EIR, you are effectively placing it in the public domain for everyone to access it, including the data subject. This means that information which the data subject cannot obtain themselves in response to a SAR is disclosed to a third party in response to a FOIA or EIR request.

In such a case, you could also provide the information directly to the data subject at the same time.

If you need more information on the public interest test, please read our detailed guidance on The public interest test and how exceptions and the public interest work in the EIR.

Alternative FOIA exemptions and EIR exceptions

In cases where the third condition applies, you could rely on other FOIA exemptions and EIR exceptions. This is because some of the SAR exemptions relate to interests that are also protected under FOIA and the EIR, such as:

  • national security;
  • crime and taxation;
  • the conferring of honours; and
  • legal professional privilege.

If information is exempt from the data subject’s right of access because of one of these DPA exemptions, you may wish to consider applying a corresponding exemption in FOIA or exception in the EIR.